1. 5

    Ubuntu breaking itself with updates while still being less secure than OpenBSD is what made me switch to OpenBSD stable on my laptop. Everything just works, even months later, and was surprisingly easy to set up (OpenBSD was a breeze for me compared to Arch Linux).

    1. 1

      Going from Ubuntu to OpenBSD! What a jump, haha. How was the transition? I always imagine it very hard to make.

      1. 5

        I have been all over the place … something like ubuntu -> arch -> fedora -> debian -> ubuntu -> debian -> ubuntu -> openbsd.

        I just practised installing OpenBSD once in a VM to make sure I could get i3 working and after that there was no problem. The older I get, the more I appreciate things that don’t change under your feet.

        1. 5

          The older I get, the more I appreciate things that don’t change under your feet.

          So, there’s this OS called “Debian”… :-)

          1. 9

            I tried updating a Debian stable machine that I had not touched for six months. It blew up in my face. I’ve never had that happen with OpenBSD.

            ever

            1. 3

              As a counterpoint, I’ve had Debian machines that have gone through 10+ years of upgrades without problem. For example, I’m currently in the process of retiring a VPS that was first installed in 2005 (it’s only being retired as it’s still running a 32-bit userland, has become too much of a snowflake and needs to be rebuilt using configuration management tools).

              That said, I’ve never had a problem with the OpenBSD upgrade procedure either :)

              1. 1

                Agreed, Debian stable is ok if you stick with the same stable version. Upgrading between stable releases can be… problematic.

                With OpenBSD it’s mostly just a matter of reading release notes to see what config files need to be looked at. I’ve never had a Linux distro be as straightforward as OpenBSD in this regard. And that is why it runs all my routing duties.

                1. 1

                  Regular security or point release upgrades never break, so I imagine you’re talking of an upgrade to a new major release. Do you remember which version you’ve tried to upgrade to and what went wrong exactly?

        1. 5

          Is there any equivalent scheduler tool for Free/OpenBSD? To be honest, I like the ideas of Kubernetes, but it seems over-engineered (for what I need it for anyway).

          I was thinking perhaps https://www.nomadproject.io/ would work since it doesn’t depend on Docker or containers, but I haven’t tried it yet. The main feature I care about is zero downtime upgrades (Perhaps I should have just used Erlang instead of Go).

          1. 4

            Perhaps I should have just used Erlang instead of Go

            We use k8s at work, and while it works well for us I very much get the feeling that it’s the Erlang version of Greenspun’s tenth law.

            1. 3

              I’ve been using Nomad for Go services and it works awesomely well. We use it with Docker only, BUT we tried without it and it worked perfectly too (still sticking to Docker since we have other stacks and it’s nice to have a common interface). You definitely can try it very quickly by setting up Consul and Nomad in dev mode. In addition, if doing HTTP, I’d advise you to check ebay/fabio, which works just out of the box with Consul. I didn’t try, but I bet those 3 work perfectly fine on BSD.

              1. 2

                I want to like Nomad but there is a severe lack of “drivers” – if I want to use rkt or Docker containers, I’ll just use k8s (and get cool stuff like Cilium and a bunch of [usually outdated] documentation)

                1. 1

                  What drivers are missing from your perspective? Especially which ones that you can’t easily accomplish with either exec or raw_exec?

                2. 2

                  We use Nomad, and it works well for us. It doesn’t depend on Docker (has drivers for exec, raw_exec, rkt, docker, JVM, etc). It’s pretty easy to turn up and maintain as well, which is a HUGE win over k8s.

                  Nomad supports zero-downtime upgrades, it even allows you to push N instances of the new version into production, while keeping X copies of the old version running, and then manually approve the new version, and then it will turn off the X old copies and finish turning on the new version.

                  1. 2

                    Ed Schouten ported Kubernetes to FreeBSD… with CloudABI apps. So of course it’s possible to write a runner for jails too. When I finally get around to writing a new cool “Docker-ish-but-without-the-suck-parts” jail management tool, I’ll probably write that as well :D

                    But yeah, Nomad sounds very good indeed, much less over-engineered.

                  1. 1

                    What are the main differences between OpenBSD and FreeBSD? I’ve been using FreeBSD for some time now and have had very few issues, although the Intel graphics driver dies every few weeks forcing a restart. That said, I need to upgrade to 11.1.

                    1. 3

                      They are very different. So you’d need to give a bit of context for that question.

                      But maybe it’s worth mentioning how different they are. NetBSD and FreeBSD started out nearly 24 years ago. They developed into rather different directions, had very different focuses (and no, that’s not just NetBSD working on a toaster). Somewhat over ten years ago OpenBSD forked from NetBSD. Today both operating systems are very different from each other.

                      One might say that code wanders between the projects, which is true, but one has to keep in mind that this is also true for Linux and BSD. While this is harder, due to licensing, a lot of the developers still are willing to give permissions in regards to code. However, the kernel isn’t the most obvious thing to users anyway, in most cases, other than “which hardware” and “which file systems” are supported, but even there there is FUSE.

                      In other words, they are about as different as two Unix derivatives can get, but also not more than that. They have a somewhat different community and culture, but also not more different than different open source operating systems.

                      What you will notice is that OpenBSD is a bit slower and a bit more focused on simplicity. Even though the performance part depends a bit on use cases.

                      I’d hugely suggest trying it out though. Like different programming languages it can extend your horizon. At least for me trying out the different BSDs back in 2005 and the following years did. They are all general purpose operating systems, so don’t be blinded by the typical categorization of saying that OpenBSD is fast, NetBSD is portable and FreeBSD is performant and has a lot of drivers (even though that’s probably more true for DragonFly BSD these days).

                      What is rather amazing about all of them is how incredibly much each of them manages to get done, despite having a comparatively (compared to Linux) small amount of committers. They all have quite a few edges over other, similar projects, have research going on, while still remaining perfectly usable general purpose operating systems.

                      1. 4

                        Somewhat over ten years ago OpenBSD forked from NetBSD.

                        Somewhat over ten years being over 20 years ago.

                        1. 5

                          Look, for some of us, thirty years ago will always be the 70s.

                      2. 2

                        FreeBSD and OpenBSD are similar in that they’re both direct descendants of Unix, by way of 386BSD and 4.4BSD-Lite. Compared to Linux they are more conservative with design decisions, and have much better documentation quality.

                        FreeBSD is the larger project. They have more manpower and more code. Personally I think of them as a more conservative Debian. Features include: ZFS support in the kernel, the bhyve hypervisor, a Linux binary compatibility layer, and support for Wine and Steam. Nvidia graphics cards are well-supported. They also care a lot about performance: their TCP/IP stack is one of the best, and they forked the pf firewall to add multicore support. They also have the largest ports tree. Netflix uses FreeBSD for many of their servers.

                        OpenBSD is much more aggressive about simplicity of implementation. Dead or broken code is deleted from the tree. They’ve developed a reputation for security but it seems to derive from simplicity of implementation, which is their primary concern. When a legacy component seems broken, they’re not afraid to refactor or reimplement it: LibreSSL, doas, and pledge are all OpenBSD success stories. The vmm/vmd hypervisor is up-and-coming. While not as far along as bhyve, it is capable of running Linux guests. OpenBSD has also taken a hardline stance against blobs in the kernel, which means AMD (with the open-source radeon driver) is a better bet than Nvidia. OpenBSD is arguably the best BSD for laptops, assuming you have supported hardware.

                        Capsicum vs Pledge is a great example of FreeBSD vs OpenBSD. Both projects attempt to achieve the same thing: restrict program permissions so they do less damage if misbehaving. Capsicum is a complex capabilities-based system which is very sophisticated and took years to write. Adjusting programs to use capsicum is usually hard work. In contrast, pledge is a simple privilege-dropping syscall developed in a few months. Adding pledge to a program is often just a 2-line diff. [Pledge slides]
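The "2-line diff" pledge pattern described in the comment above, as an added example that is not from the thread or from OpenBSD's own code. A cat-like program first pledges `stdio rpath` (everything it will ever need), opens its input, then narrows to `stdio` for the copy loop; on OpenBSD the real pledge(2) enforces this and a later open() kills the process with SIGABRT. On other systems a stub named `pledge` (an assumption, so the program builds and runs anywhere) only records the promise strings, and the `self_check`/`recorded_pledge` helpers exist solely to exercise that stubbed build.

```c
/* Added example (not from the thread or from OpenBSD): the "2-line diff"
 * pledge pattern on a cat-like program. Setup needs "stdio rpath" to open
 * the file; once it is open the promises narrow to "stdio". On OpenBSD the
 * real pledge(2) enforces this and a later open() kills the process with
 * SIGABRT; elsewhere a stub (an assumption so the program builds anywhere)
 * only records the promise strings. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __OpenBSD__
#include <unistd.h>             /* real pledge(2) */
#else
#define MAX_PLEDGES 8
static char pledge_log[MAX_PLEDGES][64];
static int pledge_count;

/* Stub standing in for pledge(2): records each promise string in order. */
static int pledge(const char *promises, const char *execpromises)
{
    (void)execpromises;
    if (pledge_count >= MAX_PLEDGES) {
        errno = E2BIG;
        return -1;
    }
    snprintf(pledge_log[pledge_count++], sizeof pledge_log[0], "%s", promises);
    return 0;
}

/* The i-th promise string recorded by the stub, or NULL. */
const char *recorded_pledge(int i)
{
    return (i >= 0 && i < pledge_count) ? pledge_log[i] : NULL;
}
#endif

/* Copy the file at path to out. Returns bytes copied, or -1 on error. */
long cat_with_pledge(const char *path, FILE *out)
{
    /* Pledge line 1: everything this program will ever need. */
    if (pledge("stdio rpath", NULL) == -1)
        return -1;

    FILE *in = fopen(path, "r");
    if (in == NULL)
        return -1;

    /* Pledge line 2: the file is open, so rpath is no longer needed. */
    if (pledge("stdio", NULL) == -1) {
        fclose(in);
        return -1;
    }

    char buf[4096];
    size_t n;
    long total = 0;
    while ((n = fread(buf, 1, sizeof buf, in)) > 0) {
        fwrite(buf, 1, n, out);
        total += (long)n;
    }
    fclose(in);
    return total;
}

#ifndef __OpenBSD__
/* Self-check for the stubbed build: writes a constructed 12-byte file,
 * copies it through cat_with_pledge and returns the byte count. (Not for
 * OpenBSD: remove() after pledging "stdio" would be a fatal violation.) */
long self_check(void)
{
    const char *path = "/tmp/pledge_example.txt";   /* constructed input */
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs("hello world\n", f);
    fclose(f);
    FILE *sink = tmpfile();
    if (sink == NULL)
        return -1;
    long n = cat_with_pledge(path, sink);
    fclose(sink);
    remove(path);
    return n;
}
#endif

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s file\n", argv[0]);
        return 1;
    }
    return cat_with_pledge(argv[1], stdout) < 0 ? 1 : 0;
}
```

The two `pledge()` calls are the whole diff against a plain cat: the first is placed after any initialisation that needs broader access, the second as soon as the broad promise (here `rpath`) has done its job, so the long-running part of the program runs with the narrowest set it can.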

                        1. 1

                          Lots of insights, but a few questions came up.

                          OpenBSD is arguably the best BSD for laptops

                          Why? One could argue that both DragonFly and MacOS might be better. But then it is for hardware reasons, which you seem to have excluded from that statement.

                          Netflix uses FreeBSD for many of their servers.

                          Do you know if they use it outside of Open Connect?

                          their TCP/IP stack is one of the best

                          Measured by what?

                          1. 1

                            DragonflyBSD laptop support seems rather limited. MacOS has BSD code in userspace but I wouldn’t really call it “a BSD”. Even Windows had BSD code in userspace.

                            Your questions about Netflix and the TCP/IP stack are related: they chose it for performance. Netflix probably has servers that aren’t FreeBSD, but they definitely use it for their content delivery.

                            When it comes to raw performance, especially in terms of system load per packet, nothing beats FreeBSD. This has been true for as long I can remember.

                            https://www.quora.com/Why-did-Netflix-choose-FreeBSD-over-Linux

                        2. 2

                          You need to upgrade to -CURRENT :)

                          OpenBSD is focused on security and simplicity. It has a ton of exploit mitigation features (though there’s HardenedBSD, a FreeBSD fork with a lot of these). OpenBSD lacks a lot of features a FreeBSD power user would be used to. No jails, no DTrace, no ZFS… going from a modern CoW FS with snapshots and stuff to old UFS/FFS makes me very sad.

                        1. 1

                          I have one (erm, three) and it is wonderful. Do I wish it was thinner and had like USB-C charging? Sure.

                          1. 2

                            If you don’t mind my asking, how much does it weigh, and what’s the battery life you get?

                            4W draw at 32Wh means he could get something like 8h battery life – which is very attractive to me. I currently use a MacBook predominantly for the massive battery performance, but also because it’s so light, but I might trade a little weight and a little battery for a nice keyboard and good Linux support.

                            1. 4

                              FWIW if you can stand a 16:9 display, an official Lenovo Thinkpad T470 has a cheap battery upgrade option that doubles the battery life to 16 hours. 96Wh total (24 internal battery + 72 external). 3.9 pounds with the bigger battery. https://www.laptopmag.com/reviews/laptops/lenovo-thinkpad-t470

                              Compare with MacBook Pro 13” 3.02 pounds, 15” 4.02 pounds.

                              1. 3

                                I’m using a 12” MacBook, not Pro: i7, 16GB RAM; it’s more than powerful enough for what I need to take on the road, but that keyboard. Ugh.

                                4lbs sounds like too much to me, but wow 16 hours of battery sounds incredible.

                                1. 1

                                  IIRC, the X270 can get quite a bit more, and is even lighter.

                                  FWIW, I’ve tried the 12” MacBook keyboard in store and didn’t have many problems with it; though that’s not extended use. I’m coming from a ThinkPad X201, for reference. The bigger loss is no TrackPoint.

                                  1. 1

                                    Huh. I’ll look into that as well. Thanks.

                                  2. 1

                                    The new 12” MacBooks have the second gen butterfly keyboard which is much better.

                                    1. 2

                                      It’s one of the new ones (i7, 16GB RAM, etc)

                                      Keyboard is ok but the low travel is annoying for extended use.

                                      1. 1

                                        I’m one of those weird people who vastly prefers v1 of that keyboard compared to v2.

                                  3. 1

                                    No idea. I have but old, OEM batteries. Have not yet found newer aftermarket ones.

                                1. 3

                                  The link to 51nb just took me to a Facebook captcha page. Is the “order form” basically post on Facebook and send money and wait?

                                  1. 4

                                    As you are an OpenBSD developer, I’m happy to have one smuggled to you via hackathon. I tried to do that for bryan without success.

                                    But yes, the fb page puts you in touch with jacky who takes your money and ships you things six weeks later.

                                    1. 5

                                      Oh, thanks, but I’m pretty happy with the X1. The new keyboard suits me.

                                      I was mostly curious. And it’s somewhat funny. All the failed hardware kickstarters with super polished demo videos that never ship, and here’s “dude with a spreadsheet” getting things done.

                                    2. 1

                                      This is the link to the batch that is reviewed, don’t use it, it’s old: https://docs.google.com/forms/d/e/1FAIpQLSeFFHJnlP5oITwFJGAIUaZj0ndVULMS_p4JnpbP3OITV75HdA/viewform?c=0&w=1

                                    1. 2

                                      I use Fastmail (generally like it) and Route53 (only because feature-rich anycasted services don’t have ‘individual’ plans, and others with smaller plans don’t have a considerable anycasted reach. Route53 is the in-between for me)

                                      Everything else I use is self hosted.

                                      1. 1

                                        Why are all the infosec people I follow charitably saying this is theatre at best and doesn’t do anything for any kind of attack?

                                        1. 8

                                          The most common negative response I have seen is that this can be bypassed if an attacker knows the addresses they will write their ROP chain to. This is true, but it is not the case that all attacks know the addresses where the ROP chain goes. The @grsecurity response is interesting, since they point out that this idea has been seen before (quite some time ago - in 1999 and 2003). If you have heard other specific criticisms, then I’d be interested to hear them.

                                          The next iteration of this doesn’t have to use the stack pointer - it can use something stronger. Step 1 is getting the ecosystem working with mangled return addresses. For this, the stack pointer is cheap and easy.

                                        1. 3

                                          IIRC, the first time they did this was because OpenBSD was “randomly” chosen. I am surprised they’ve done it again. You’d think Google would donate something seeing how a not trivial part of the Android code base uses OpenBSD code.

                                          and, of course, OpenSSH.

                                          1. 1

                                            Seems like a trivial amount – why doesn’t the PSF pay for half if not all of that??

                                            1. 5

                                              Because no one has written a grant application to get the money. I’m also not sure that the PSF hands out grants that big for code development efforts.

                                              1. 2

                                                Biggest grant I can find by the PSF is 10k https://www.python.org/psf/records/board/resolutions/

                                                1. 2

                                                  I don’t imagine them really wanting to give people a reason to change the de facto standard Python away from one they control.

                                                  1. 5

                                                    The PSF doesn’t control CPython, and doesn’t care which Python you use, as long as you use Python :-)

                                                    (Source: Former PSF board member)

                                                    1. 1

                                                      I stand corrected, thanks!

                                                1. 2

                                                  QUIC is cool, but is updating TCP really impossible? Multipath TCP is a thing, and Apple is already using it for Siri.

                                                  1. 5

                                                    MTCP does not solve the stalling flow problem (head of line blocking) due to packet loss and waiting on that retransmit to get through.

                                                    QUIC also has a 0 (zero) RTT cryptographically secure(ish) HTTP request mode; akin to the whole TCP 3 way handshake, SSL handshake and HTTP request rolled up into a single compact UDP packet so the request is serviced immediately by the server.

                                                    1. 6

                                                      QUIC annoys me, because it’s a massive layering violation. It bakes in HTTP, when all I want is a better TCP – Something like CurveCP, which has zero roundtrips, and does encryption and authentication in one go.

                                                      1. 7

                                                        Guess you hate BTRFS and ZFS too?

                                                        I don’t think Google designed QUIC for you, so kinda irrelevant what you want or what I want :-)

                                                        Besides you said you have CurveCP so what is the problem?

                                                        CurveCP violates ‘layering’ in the same way that QUIC does, so I am not sure what you mean here? Nothing about QUIC prevents you sending non-HTTP traffic over it. QUIC is more a DCCP+DTLS+TLSv1.3-RTT0 rolled into one; done outside of the IETF initially as it was a prototype that no-one knew what would work?

                                                        What would you have done differently to avoid layering violation and to make your entire service (inc browser support) 0RTT in a span of months?

                                                        If you wanted to gripe about something you should probably grumble about DCCP/SCTP, but then this ignores the sane technical reason QUIC (and CurveCP) violate these layers, which is all the god-awful middleware that makes up the routing hops.

                                                        If you have the time, read about RINA and also the fun presentation by John Day titled Shortening the Dark Ages of Networking (.mov)… it might sway your opinion to maybe that layering is actually sometimes the problem. :-)

                                                        1. 1

                                                          Maybe long-term public keys could be a replacement for IP numbers.

                                                          1. 1

                                                            What are your thoughts on routing and what does a public key improve on over a 2^80 IP block allocation?

                                                            1. 1

                                                              If it’s all public keys, encryption is the default (although with tiny keys).

                                                              1. 1

                                                                What advantages does this have over just setting a reverse DNS lookup record and including the public key in something like a TXT RR or maybe some formalised X509 RR?

                                                                We could do this with IPv4 today, but as no one is I am not really sure what this would solve over host transport IPsec?

                                                                Plus routing is the hard part of a protocol…not how many bits are in the address or if you slip something cryptographic in there, surely?

                                                              2. 1

                                                                Definitely not thought through: but public keys can be self-allocated and work well in an encrypt-by-default world. You’d need something like DNS …

                                                              3. 1

                                                                Networking ASIC designers would like to have a few words with you…

                                                          1. 2

                                                            nvi v1.* is horribly buggy. There is nvi2

                                                            https://github.com/lichray/nvi2

                                                            I do wish it could be ported to more platforms.

                                                            1. 1

                                                              I am not much of a nvi power user. What kind of bugs are there? Also, thank you for sharing nvi2 – I’d never heard of it until now.

                                                              1. 1

                                                                nvi2 is mentioned in the linked post :^)

                                                            1. 2

                                                              Where do I know algebraic effects from? As in, where are they applied in CS topics?

                                                              1. 7

                                                                Here, basically. :) They’re an alternative to monads, formally a weaker (less general) abstraction, which therefore optimizes better. Specifically, unlike a monad, an algebraic effect can’t affect flow control except in certain very specific ways, which means there’s no explicit AST-like “backbone” of your code at runtime. So they can encapsulate side-effects (the State monad), but can’t encapsulate novel programming paradigms such as Prolog-style constraint-logic programming (the List monad).

                                                                1. 4

                                                                  I’m pretty sure algebraic effects can handle Prolog-style “search, accumulate successful results, backtrack on failure”. Check the slide titled “Eff: Dynamic Effects (2)” here.

                                                                  1. 2

                                                                    Interesting… I am not sure I understand it, I’d need to play around a bit in a repl or something.

                                                              1. 4

                                                                My proposal: Bitcorn, the first digital currency backed by physical kernels of corn. This overcomes the common complaint from internet commenters that bitcoin “isn’t real”.

                                                                1. 5

                                                                  And burn down the crops in an effort to control inflation :D

                                                                  “Thank you. Since we decided a few weeks ago to adopt the leaf as legal tender, we have, of course, all become immensely rich.”

                                                                  (The Restaurant at the End of the Universe, Douglas Adams, RIP)

                                                                  1. 2

                                                                    Can I use gold to back this coin instead of corn at the current market corn/gold exchange rate? It’s just easier for me to store gold than corn.

                                                                    1. 1

                                                                      How do you link physical objects to a private key with a decentralized certainty/authority?

                                                                      This ear has this private key… says who?

                                                                    1. 2

                                                                      Super clear and complete! I would just have liked some links or tips to harden this a bit, if the author has some references, would be great!

                                                                      1. 13

                                                                        It’s OpenBSD, so just relax. Hardening is built-in and enabled by default.

                                                                        1. 3

                                                                          While true, we mustn’t become complacent.

                                                                          1. 4

                                                                            That’s why you keep your OpenBSD installs regularly updated.

                                                                            1. 2

                                                                              But you are running a VPN service with a weak cipher?

                                                                              1. 1

                                                                                The defaults are deprecated or compromised? News to me.

                                                                                The only reason “weaker” ciphers are included is for backward compatibility with endpoints that support nothing else.

                                                                                1. 1

                                                                                  I’m referring to following the guide & deploying a service with modp1024. Not the defaults in OpenBSD.

                                                                          2. 2

                                                                            While it’s a decent configuration, doing IKEv2 with the chacha20-poly1305 ciphers as described here is more secure in my opinion. That being said it won’t work for clients that don’t have the cipher baked in as it violates the RFC (in fact I think only OpenIKED has support).

                                                                            1. 4

                                                                              Indeed, you have to opt for the insecure modp1024 option with OS X clients, because with higher settings it’s not possible for the OS X client to connect using the System Prefs client as described in the guide. (The issue is on the OS X side.)

                                                                        1. 1

                                                                          Isn’t IPsec reportedly broken? There’s nothing official of course, but slides from NSA are leaked: http://www.spiegel.de/media/media-35529.pdf

                                                                          OpenVPN looks much better.

                                                                          1. 2

                                                                            By what metric does OpenVPN look better?

                                                                            1. 3

                                                                              Security, flexibility. It’s also far simpler. Read e.g. https://www.schneier.com/academic/paperfiles/paper-ipsec.pdf

                                                                              1. 2

                                                                                While I generally agree simpler often leads to more secure, that paper is from 1999. The IPsec code in OpenBSD is widely used, well tested, and has not suffered the plethora of CVEs the OpenVPN code base continues to suffer.

                                                                                To each their own, but I would (and do) run base OpenBSD code for VPN duties before anything else, including OpenVPN.

                                                                                1. 2

                                                                                  It’s not about the security of OpenBSD’s IPsec implementation vs OpenVPN, but the security of IPsec itself vs OpenVPN. So not about implementation, but the standard itself.

                                                                          1. 4

                                                                            I am trying to, and retrying, and still hoping I can eventually, bootstrap OpenStack from bare metal.

                                                                            The options are many and the documentation… maddeningly not accurate or useful. Makes me love OpenBSD documentation all the more.

                                                                            1. 6

                                                                              c-cube does a lot of great work in OCaml. I’m a user of his stdlib replacement, containers, which has most of the functionality I want and is more lightweight than Jane St’s Core Suite.

                                                                              1. 4

                                                                                Thank you for this comment, I took a look at c-cube’s other repositories and they’re chock full of good stuff.

                                                                                You should submit some of them! @pushcx doesn’t need any more sweet Internet points. ;-)

                                                                                1. 3

                                                                                  Seriously. I have >150 stories in my backlog right now. You/apy should submit one OCaml repo a week, get that tag kicking.

                                                                                2. 3

                                                                                  Also he is very active on IRC and open to suggestions, which is fantastic if you don’t know how something works or have suggestions for features.

                                                                                  1. 1

                                                                                    Which server & channel?

                                                                                    1. 3

                                                                                      #ocaml on Freenode.

                                                                                1. 4

                                                                                  At work I’m making a tool for distributing traffic between multiple datacenters. DNS and anycast seem like blunt tools. Thinking of supporting utilizing H2 alt-svc records. They are like a H2-level CNAME.

                                                                                  1. 1

                                                                                    They are blunt, but ultimately how traffic and requests are steered.

                                                                                    What is H2?

                                                                                    1. 1

                                                                                      HTTP/2

                                                                                      It has the concept of an alt-svc record which is a bit like a redirect or CNAME, but transparent to the browser. Your URL bar continues to say https://awesome.com/ even though awesome.com sent an alt-svc record and sent you to https://edge-1.awesome.com/

                                                                                      It’s not really an alternative to a load balancer, but could be used to shed load that anycast was distributing unequally.